Analysis

Category: FILE
Package: exe
Started: 2019-11-08 21:04:01
Completed: 2019-11-08 21:04:19
Duration: 18 seconds
  • Info: Analysis failed: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.

Options:
procdump = 1

Log:
2019-11-08 21:04:02,000 [root] INFO: Date set to: 11-08-19, time set to: 21:04:02, timeout set to: 200
2019-11-08 21:04:02,000 [root] DEBUG: Starting analyzer from: C:\mbnqpif
2019-11-08 21:04:02,000 [root] DEBUG: Storing results at: C:\PhdDIkrAsz
2019-11-08 21:04:02,000 [root] DEBUG: Pipe server name: \\.\PIPE\lnsOyOw
2019-11-08 21:04:02,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-11-08 21:04:02,015 [root] INFO: Automatically selected analysis package "exe"
2019-11-08 21:04:02,326 [root] DEBUG: Started auxiliary module Browser
2019-11-08 21:04:02,326 [root] DEBUG: Started auxiliary module Curtain
2019-11-08 21:04:02,326 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-11-08 21:04:02,811 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-11-08 21:04:02,811 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-11-08 21:04:02,811 [root] DEBUG: Started auxiliary module DigiSig
2019-11-08 21:04:02,811 [root] DEBUG: Started auxiliary module Disguise
2019-11-08 21:04:02,811 [root] DEBUG: Started auxiliary module Human
2019-11-08 21:04:02,811 [root] DEBUG: Started auxiliary module Screenshots
2019-11-08 21:04:02,811 [root] DEBUG: Started auxiliary module Sysmon
2019-11-08 21:04:02,811 [root] DEBUG: Started auxiliary module Usage
2019-11-08 21:04:02,811 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-11-08 21:04:02,811 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-11-08 21:04:02,825 [lib.api.process] ERROR: Failed to execute process from path "C:\Users\user\AppData\Local\Temp\v0PfDbigW.exe" with arguments "None" (Error: The %1 application cannot be run in Win32 mode (ERROR_CHILD_NOT_COMPLETE))
2019-11-08 21:04:02,825 [root] ERROR: Traceback (most recent call last):
  File "C:\mbnqpif\analyzer.py", line 1332, in <module>
    success = analyzer.run()
  File "C:\mbnqpif\analyzer.py", line 1151, in run
    "error: {1}".format(package_name, e))
CuckooError: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted.

MalScore

1.0

Benign

Machine

Name: target-01
Label: target-01
Manager: ESX
Started On: 2019-11-08 21:04:01
Shutdown On: 2019-11-08 21:04:17

File Details

File Name f60f2d932b43b5ff7684c2d28ae0193d
File Size 12544 bytes
File Type PE32 executable (native) Intel 80386, for MS Windows
MD5 f60f2d932b43b5ff7684c2d28ae0193d
SHA1 b0e4defcd577f611173fc570e92e431a23ddd440
SHA256 dd1bb8fb86dce78792c1782e00669871e163e6d28f95647dd6397d158bba2471
SHA512 7e27d251346939bb3150c95ae9a53e8b41e4ff32d5cd188dbf8e68d3755aeec0e78c800f5c1a7ca090565bcc77f1a12df0a53c14d9da6ec3772b509bb6af327a
CRC32 D91FDCAD
Ssdeep 192:X8BdjF8czaPIZsasCU6Gi4E4ak1fOnLeUigd3Af1fUp5rVHkVKba88PtBrCtKS3a:X8MIL6Ai5LBAPEKICUS3ZB6X
TrID
  • 42.7% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 19.2% (.EXE) OS/2 Executable (generic) (2029/13)
  • 18.9% (.EXE) Generic Win/DOS Executable (2002/3)
  • 18.9% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

The binary contains an unknown PE section name indicative of packing
unknown section: name: INIT, entropy: 4.96, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000400, virtual_size: 0x0000039e

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

PE Information

Image Base 0x00010000
Entry Point 0x00012590
Reported Checksum 0x0000f4de
Actual Checksum 0x0000f4de
Minimum OS Version 5.1
Compile Time 2008-08-29 14:57:20
Import Hash 7012fc35bbc20eb530e8d5b4f3464409

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000300 0x00002368 0x00002380 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.89
.rdata 0x00002680 0x00000204 0x00000280 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ 2.49
.data 0x00002900 0x000000b8 0x00000100 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.07
INIT 0x00002a00 0x0000039e 0x00000400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.96
.reloc 0x00002e00 0x000002aa 0x00000300 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.07

Imports

Library ntoskrnl.exe:
0x12680 ExFreePoolWithTag
0x12688 memcpy
0x1268c memset
0x12694 _except_handler3
0x12698 ObQueryNameString
0x126a4 ProbeForRead
0x126a8 ExGetPreviousMode
0x126ac toupper
0x126b0 KeReleaseMutex
0x126c0 MmIsAddressValid
0x126c8 ZwEnumerateKey
0x126d0 NtBuildNumber
0x126dc IoDriverObjectType
0x126e0 ZwClose
0x126e8 ZwDuplicateToken
0x126ec ZwOpenProcessToken
0x126f0 ZwOpenProcess
0x126f4 IofCompleteRequest
0x126f8 KeInitializeMutex
0x126fc IoDeleteDevice
0x12708 IoCreateDevice

Strings

.text
h.rdata
H.data
.reloc
ExFreePoolWithTag
RtlAppendUnicodeToString
memcpy
memset
ExAllocatePoolWithTag
_except_handler3
ObQueryNameString
ObfDereferenceObject
ObReferenceObjectByHandle
ProbeForRead
ExGetPreviousMode
toupper
KeReleaseMutex
KeWaitForSingleObject
RtlFreeUnicodeString
RtlCopyUnicodeString
MmIsAddressValid
RtlInitUnicodeString
ZwEnumerateKey
KeServiceDescriptorTable
NtBuildNumber
RtlAppendUnicodeStringToString
ObReferenceObjectByName
IoDriverObjectType
ZwClose
ZwSetInformationProcess
ZwDuplicateToken
ZwOpenProcessToken
ZwOpenProcess
IofCompleteRequest
KeInitializeMutex
IoDeleteDevice
IoDeleteSymbolicLink
IoCreateSymbolicLink
IoCreateDevice
ntoskrnl.exe
8 808t8x8
\FileSystem\Ntfs
\FileSystem\Ntfs
\Device\fsdf2w
\DosDevices\fsdf2w
This file is not on VirusTotal.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 0.261 seconds )

  • 0.114 TrID
  • 0.057 CAPE
  • 0.054 TargetInfo
  • 0.023 Static
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.045 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name

Reporting ( 0.0 seconds )

Task ID 108511
Mongo ID 5dc5d85603bfea2d656a0b91
Cuckoo release 1.3-CAPE